Hello @JRECKNAGEL, good afternoon.
 
In the GlobalProtect configuration, are you using split tunnel? That is, are you only using the tunnel for your local tunnels? If so, for example, if you do not set any DNS in the GlobalProtect configuration (it makes sense, since they are using public ones), the client will use the DNS of the network from which it is connecting, that is, the DNS given to you by the network of the house, cafe, restaurant, office, etc.
 
Now, if you are not using split, that is, you use 0.0.0.0/0 and are therefore forwarding all GlobalProtect VPN traffic through Palo Alto, you must set the corresponding security rule(s), and the NAT policy (source NAT) is important for the network segment you use for GlobalProtect, so that it can go out to the Internet through the PA.
 
Now, if you are using split for some resources but you are setting the DNS, that DNS connection will be made through Palo Alto, so you must apply the security and NAT (source NAT) policies that allow the network traffic from GlobalProtect to the DNS, for example towards 9.9.9.9, 8.8.8.8, 1.1.1.1, etc. That is to say, the GlobalProtect network must go out to the Internet to resolve against those public DNS servers, and as it will do so through the PA, you must apply the NAT rule (source NAT) for the GlobalProtect network with those public DNS IPs as destination, and the security policy.
 
Best regards
High Sticker
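
The security rule and source NAT rule described in the answer above for the DNS case, written as PAN-OS configure-mode `set` commands. This is an added example, not part of the original post; the zone names, client pool, interface and rule names are assumptions, and the `#` lines are annotations rather than commands.

```panos
# Constructed values (assumptions): zones GP-VPN and Untrust, GlobalProtect
# client pool 10.10.10.0/24, Internet-facing interface ethernet1/1, rule names.
# The resolver IPs are the ones named in the answer.
configure

# Security policy: allow only DNS from the GlobalProtect pool to the resolvers.
set rulebase security rules GP-DNS-Out from GP-VPN
set rulebase security rules GP-DNS-Out to Untrust
set rulebase security rules GP-DNS-Out source 10.10.10.0/24
set rulebase security rules GP-DNS-Out destination [ 9.9.9.9 8.8.8.8 1.1.1.1 ]
set rulebase security rules GP-DNS-Out application dns
set rulebase security rules GP-DNS-Out service application-default
set rulebase security rules GP-DNS-Out action allow
set rulebase security rules GP-DNS-Out log-end yes

# Source NAT: translate the pool to the outside interface address so that
# replies from the public resolvers can route back to the firewall.
set rulebase nat rules GP-DNS-SNAT from GP-VPN
set rulebase nat rules GP-DNS-SNAT to Untrust
set rulebase nat rules GP-DNS-SNAT source 10.10.10.0/24
set rulebase nat rules GP-DNS-SNAT destination [ 9.9.9.9 8.8.8.8 1.1.1.1 ]
set rulebase nat rules GP-DNS-SNAT service any
set rulebase nat rules GP-DNS-SNAT source-translation dynamic-ip-and-port interface-address interface ethernet1/1

commit
```

For the full-tunnel (0.0.0.0/0) case in the answer, the NAT rule takes destination `any` instead of the resolver list, and the security rules cover whatever Internet traffic you permit from the pool.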